
Enable AWS Config

Last updated: 10 November 2017
Security

Risk level: High (act today)

Ensure that AWS Config service is enabled in all regions in order to have complete visibility over your AWS infrastructure configuration changes.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Once enabled, the Config service detects your existing AWS resources and records their current configurations and any changes made to them later. The data recorded by this service can be extremely useful for your compliance team during security auditing or troubleshooting sessions, as it can determine how a resource was configured at a certain point in time and what relationships it had with other resources. Note: The AWS resources currently supported by the Config service are VPC, EC2, EBS, IAM and CloudTrail.

Audit

To determine if AWS Config is enabled in the current AWS region, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/:

  1. If the AWS console redirects your request to the Get started page, the service was never enabled, or is not currently enabled, in the selected AWS region.
  2. If the AWS console redirects your request to the Resource inventory page, click the Status link and check the AWS Config status in the Service status dialog box. If the Configuration recorder stopped warning is displayed, the Config service was previously activated but the recorder is currently stopped, meaning that the service is disabled in the selected region.

03 Change the AWS region from the navigation bar and repeat step no. 2 for each region available.

Using AWS CLI

01 Run get-status command (OSX/Linux/UNIX) to return the status of all configuration recorders and delivery channels created by the Config service in the selected region:

	aws configservice get-status \
		--region us-east-1

02 The command output should expose the status for any AWS Config delivery channel and configuration recorder available in the selected region:

  1. If the service was never enabled, or is not currently enabled, the lists for both configuration recorders and delivery channels should be empty:
    Configuration Recorders:
    Delivery Channels:

  2. If the service was previously enabled but is currently disabled, the status for the configuration recorder should be set to OFF:
    Configuration Recorders:
    name: default
    recorder: OFF

    Delivery Channels:
    name: default
    last stream delivery status: FAILED


03 Repeat step no. 2 for each AWS region available.
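The two outcomes described in step 02 can be checked mechanically rather than by eye, which matters once the check has to be repeated per region. The following Python script is an added example and is not part of the original page or of the Cloud Conformity tooling: it parses the text that `aws configservice get-status` prints and classifies the region, adding one state the steps above do not list (recorder ON, but the last delivery to S3/SNS failed). The three sample outputs are constructed to mirror the formats shown in step 02, not captured from a live account.

```python
import re
import sys

# Constructed sample outputs (not captured from a real account) mirroring the
# text that `aws configservice get-status` prints, as shown in step 02 above.
SAMPLE_NEVER_ENABLED = """Configuration Recorders:

Delivery Channels:
"""

SAMPLE_RECORDER_STOPPED = """Configuration Recorders:

name: default
recorder: OFF
last status: SUCCESS

Delivery Channels:

name: default
last stream delivery status: FAILED
"""

SAMPLE_HEALTHY = """Configuration Recorders:

name: default
recorder: ON
last status: SUCCESS

Delivery Channels:

name: default
last stream delivery status: SUCCESS
"""

SECTION_RE = re.compile(r"^(Configuration Recorders|Delivery Channels):\s*$")


def parse_get_status(text):
    """Parse get-status text into {"recorders": [...], "channels": [...]}.

    Each entry is a dict of the "key: value" lines under its section; a new
    entry starts at every "name:" line, so several recorders or channels
    parse as well as the single "default" one that Config creates.
    """
    sections = {"Configuration Recorders": [], "Delivery Channels": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = sections[match.group(1)]
            continue
        if not line or current is None or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "name":
            current.append({})
        if current:  # ignore a value line that precedes any "name:" line
            current[-1][key] = value
    return {"recorders": sections["Configuration Recorders"],
            "channels": sections["Delivery Channels"]}


def config_verdict(text):
    """Classify one region's get-status output.

    NOT_ENABLED      - no configuration recorder exists (never set up)
    RECORDER_STOPPED - a recorder exists but reports "recorder: OFF"
    DELIVERY_FAILING - recording, but the last delivery to S3/SNS failed
    ENABLED          - recorder ON and no failed delivery
    """
    status = parse_get_status(text)
    if not status["recorders"]:
        return "NOT_ENABLED"
    if any(r.get("recorder", "OFF").upper() != "ON" for r in status["recorders"]):
        return "RECORDER_STOPPED"
    if any(c.get("last stream delivery status", "").upper().startswith("FAIL")
           for c in status["channels"]):
        return "DELIVERY_FAILING"
    return "ENABLED"


if __name__ == "__main__":
    if sys.stdin.isatty():
        # No piped input: run against the constructed samples.
        for label, sample in (("never-enabled", SAMPLE_NEVER_ENABLED),
                              ("recorder-stopped", SAMPLE_RECORDER_STOPPED),
                              ("healthy", SAMPLE_HEALTHY)):
            print(f"{label}: {config_verdict(sample)}")
    else:
        # Usage: aws configservice --region us-east-1 get-status | python3 check_config.py
        print(config_verdict(sys.stdin.read()))
```

Pipe the output of `aws configservice --region <region> get-status` into the script once per region; anything other than ENABLED is the finding this rule is about. The DELIVERY_FAILING state is worth surfacing separately because a recorder that is ON but cannot deliver to its bucket or topic gives the same loss of audit history as a stopped one.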

Remediation / Resolution

To enable AWS Config in all regions available, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Config dashboard at https://console.aws.amazon.com/config/ and click Get Started Now to open the Set up AWS Config page.

03 Under Resource types to record section:

  1. To track all supported AWS resources, in the All resources category, do the following:
    • Check Record all resources supported in this region to track configuration changes for every supported type of regional AWS resource.
    • Check Include global resources to add any types of global AWS resources (e.g. AWS IAM) to the existing list of supported resources.
  2. To track only a subset of the available resources, in the Specific types category, select the preferred resource(s) available in the dropdown list.

04 Under Amazon S3 Bucket* section designate the S3 bucket that will receive the service configuration history and configuration snapshot files. This data can be used later with the AWS Config console timeline or a 3rd-party tool. Select one of the following options based on your needs:

  1. Create a new bucket - to use a brand new S3 bucket for storing the configuration history data.
  2. Choose a bucket from your account - to use an existing S3 bucket.
  3. Choose a bucket from another account - to use an existing bucket from another AWS account. Ensure that the selected S3 bucket grants access permissions to AWS Config.

05 Next to Bucket Name*, enter a unique name and a prefix (optional) for the S3 bucket selected at the previous step.

06 Under Amazon SNS Topic section, check Enable configuration changes and notifications to be streamed to an Amazon SNS topic so that AWS Config can send configuration change notifications to an SNS topic. Select one of the following options based on your needs:

  1. Create a new topic - to create a new SNS topic for sending notifications.
  2. Choose a topic from your account - to use an existing SNS topic.
  3. Choose a topic from another account - to use an existing SNS topic from another AWS account. Ensure that the selected SNS topic grants access permissions to AWS Config.

07 In the Topic Name* field, enter a unique name for the SNS topic selected at the previous step. If you choose an SNS topic from another account, you will need to provide that topic's ARN (Amazon Resource Name) instead of its name.

08 Click Continue button.

09 On the AWS Config is requesting permissions to read your resources' configurations page, click View Details and View Policy Document to review the IAM role required by the service and its policy (created by default), then click Allow.

10 On the Resource inventory page, under Recording is on section, you should see the Taking inventory... event status in progress. The Config service setup process is completed once the Taking inventory... status label is no longer visible.

11 To stream AWS Config configuration changes notifications to the SNS topic created earlier, navigate to AWS SNS dashboard at https://console.aws.amazon.com/sns/v2/.

12 In the left navigation panel, select Topics and open the SNS topic specified during the AWS Config setup by clicking on its ARN.

13 On the Topic Details <topic name> page, under Subscriptions section, click the Create subscription button.

14 Select Email as subscription protocol from the Protocol dropdown list and for the Endpoint enter the email address where you will receive the AWS Config notifications.

15 Click Create Subscription.

16 Use your email client application and open the message from AWS Notifications, then click on the appropriate link to confirm your subscription to the SNS topic.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create an S3 bucket in the selected region. The bucket will be used by AWS Config for storing configuration history and configuration snapshot files:

# Bucket names must be lowercase; MyConfigS3Bucket is a placeholder to replace.
aws s3api create-bucket \
	--bucket MyConfigS3Bucket \
	--region us-east-1
# For any region other than us-east-1 (which rejects a LocationConstraint),
# also pass the bucket region:
#	--create-bucket-configuration LocationConstraint=<region>

02 The command output should return the new S3 bucket location (URL):

{
    "Location": "http://myconfigs3bucket.s3.amazonaws.com/"
}

03 Run create-topic command (OSX/Linux/UNIX) to create an SNS topic in the selected region. The SNS topic will be used by AWS Config for sending notifications each time a new snapshot of the current configuration is taken or each time it detects a resource config change:

aws sns create-topic \
	--region us-east-1 \
	--name MyConfigSNSTopic

04 The command output should return the new SNS topic ARN (Amazon Resource Name):

{
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic" 
}

05 Run subscribe command (OSX/Linux/UNIX) to send the subscription confirmation message to the notification-endpoint (in this case the endpoint is an email address):

aws sns subscribe \
	--topic-arn arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic \
	--protocol email \
	--notification-endpoint admin@domain.com

06 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the subscription by validating the token sent to the notification endpoint selected:

aws sns confirm-subscription \
	--topic-arn arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic \
	--token 6554392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19328d3c217426bcafa9c501a2cace93b83f1dd3797627467553dc438a8c974119496fc3eff026eaa5d14472ded6f9a5c43aec62d83ef5f49109da717458

07 Create a trust policy for the new IAM role required by AWS Config. Make a new policy document called config-role-trust-policy.json and paste the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

08 Run create-role command (OSX/Linux/UNIX) to create the new IAM role called MyConfigRole. This role enables AWS Config to send configuration history and configuration snapshots to the MyConfigS3Bucket S3 bucket and stream messages to the MyConfigSNSTopic SNS topic created earlier:

aws iam create-role \
	--role-name MyConfigRole \
	--assume-role-policy-document file://config-role-trust-policy.json

09 Create the necessary policy for the IAM role created at the previous step. Make a new policy document called config-role-policy.json and paste the following, replacing the example bucket name, AWS account ID, region and SNS topic name with your own:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "appstream:Get*",
                "autoscaling:Describe*",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplate",
                "cloudformation:List*",
                "cloudfront:Get*",
                "cloudfront:List*",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetTrailStatus",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*",
                "config:Put*",
                "directconnect:Describe*",
                "dynamodb:GetItem",
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "ec2:Describe*",
                "elasticache:Describe*",
                "elasticbeanstalk:Check*",
                "elasticbeanstalk:Describe*",
                "elasticbeanstalk:List*",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RetrieveEnvironmentInfo",
                "elasticloadbalancing:Describe*",
                "elastictranscoder:Read*",
                "elastictranscoder:List*",
                "iam:List*",
                "iam:Get*",
                "kinesis:Describe*",
                "kinesis:Get*",
                "kinesis:List*",
                "opsworks:Describe*",
                "opsworks:Get*",
                "route53:Get*",
                "route53:List*",
                "redshift:Describe*",
                "redshift:ViewQueriesInConsole",
                "rds:Describe*",
                "rds:ListTagsForResource",
                "s3:Get*",
                "s3:List*",
                "sdb:GetAttributes",
                "sdb:List*",
                "sdb:Select*",
                "ses:Get*",
                "ses:List*",
                "sns:Get*",
                "sns:List*",
                "sqs:GetQueueAttributes",
                "sqs:ListQueues",
                "sqs:ReceiveMessage",
                "storagegateway:List*",
                "storagegateway:Describe*",
                "trustedadvisor:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject*"
            ],
            "Resource": [
                "arn:aws:s3:::MyConfigS3Bucket/AWSLogs/123456789012/*"
            ],
            "Condition": {
                "StringLike": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketAcl"
            ],
            "Resource": "arn:aws:s3:::MyConfigS3Bucket"
        },
        {
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic"
        }
    ]
}

10 Run put-role-policy command (OSX/Linux/UNIX) to apply the policy document saved in the config-role-policy.json file to the MyConfigRole role:

aws iam put-role-policy \
	--role-name MyConfigRole \
	--policy-name config-policy \
	--policy-document file://config-role-policy.json
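The policy document in step 09 is easy to get wrong when edited by hand: a stray space inside an ARN, a string broken across two lines, or an s3:PutObject grant left on "*". The CLI rejects malformed JSON, but a write grant that is broader than the Config prefix of your bucket is accepted silently and stays in place. The following Python script is an added example, not Cloud Conformity's or AWS's own code: render_config_role_policy assembles the three resource-scoped statements of the policy from your own bucket name, account ID, region and topic name (the long read-only Describe*/Get*/List* statement from step 09 is left unchanged and is not generated here), and lint_policy_document checks a policy file before put-role-policy is run. The bucket name, account ID and the SAMPLE_BROKEN_POLICY document are constructed placeholders.

```python
import json
import re

# Generic ARN shape: arn:partition:service:region:account:resource
# (region and account may be empty, as they are for S3 bucket ARNs).
ARN_RE = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:[0-9]{0,12}:\S+$")


def render_config_role_policy(bucket, account_id, region, topic_name):
    """Return the resource-scoped part of config-role-policy.json as text.

    Only the S3 write, bucket-ACL read and SNS publish statements are
    generated; the page's read-only statement would be added alongside them.
    """
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject*"],
                # Write access limited to Config's prefix inside this account's bucket
                "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*"],
                "Condition": {"StringLike": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
            {"Effect": "Allow", "Action": ["s3:GetBucketAcl"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "sns:Publish",
             "Resource": f"arn:aws:sns:{region}:{account_id}:{topic_name}"},
        ],
    }
    return json.dumps(policy, indent=2)


def lint_policy_document(text, bucket, account_id):
    """Return findings for a config-role-policy.json body (empty list = clean).

    Flags what the CLI would reject (malformed JSON, whitespace inside an
    ARN) and what it would accept silently: an S3 write grant broader than
    the Config prefix of the designated bucket, or without the ACL condition.
    """
    findings = []
    try:
        policy = json.loads(text)
    except ValueError as exc:
        return [f"invalid JSON: {exc}"]
    expected_write = f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*"
    for idx, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            if res == "*":
                continue
            if re.search(r"\s", res):
                findings.append(f"statement {idx}: ARN contains whitespace: {res!r}")
            elif not ARN_RE.match(res):
                findings.append(f"statement {idx}: malformed ARN: {res!r}")
        writes = [a for a in actions if a.lower().startswith("s3:put")]
        if writes:
            if resources != [expected_write]:
                findings.append(f"statement {idx}: {writes} not scoped to {expected_write}")
            acl = stmt.get("Condition", {}).get("StringLike", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append(f"statement {idx}: missing bucket-owner-full-control condition")
    return findings


# Constructed example of a hand-edited policy with two common mistakes:
# a write grant on every bucket and a stray space inside the bucket ARN.
SAMPLE_BROKEN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetBucketAcl"],
     "Resource": "arn:aws:s3::: myconfigs3bucket"}
  ]
}"""


if __name__ == "__main__":
    # Placeholder values; substitute your own bucket, account ID, region and topic.
    rendered = render_config_role_policy("myconfigs3bucket", "123456789012",
                                         "us-east-1", "MyConfigSNSTopic")
    print(rendered)
    print("generated:", lint_policy_document(rendered, "myconfigs3bucket", "123456789012"))
    print("broken:", lint_policy_document(SAMPLE_BROKEN_POLICY, "myconfigs3bucket", "123456789012"))
```

Run the linter over config-role-policy.json before step 10; an empty findings list means the write grant is confined to the AWSLogs/<account>/ prefix of the designated bucket and carries the bucket-owner-full-control condition, which is what keeps the Config role from becoming a general-purpose writer to your S3 estate.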

11 Run subscribe command (OSX/Linux/UNIX) to create the AWS Config default delivery channel and configuration recorder for the selected region. The following example describes the S3 bucket and SNS topic to which AWS Config will deliver configuration data using the IAM role created earlier:

aws configservice subscribe \
	--region us-east-1 \
	--s3-bucket MyConfigS3Bucket \
	--sns-topic arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic \
	--iam-role arn:aws:iam::123456789012:role/MyConfigRole

12 The command output should return the new AWS Config delivery channel and configuration recorder metadata:

Using existing S3 bucket: MyConfigS3Bucket
Using existing SNS topic: arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic
Subscribe succeeded:

Configuration Recorders: [
    {
        "recordingGroup": {
            "allSupported": true,
            "resourceTypes": [],
            "includeGlobalResourceTypes": true
        },
        "roleARN": "arn:aws:iam::123456789012:role/MyConfigRole",
        "name": "default"
    }
]

Delivery Channels: [
    {
        "snsTopicARN": "arn:aws:sns:us-east-1:123456789012:MyConfigSNSTopic",
        "name": "default",
        "s3BucketName": "MyConfigS3Bucket"
    }
]

Publication date Sep 26, 2016